[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: passwords in subversion

From: Ben Reser <ben_at_reser.org>
Date: 2005-02-28 22:38:09 CET

On Sat, Dec 11, 2004 at 01:46:50PM -0600, Ben Collins-Sussman wrote:
> On Dec 11, 2004, at 1:17 PM, Rainer Pröbster wrote:
> >
> >I find it unnecessary problematic that in the not uncommon case that
> >you don't
> >want or can't use an apache server (your first usecase) and you don't
> >or
> >can't use ssh (your third usecase) you have to write your passwords
> >plain
> >into a text file (your second usecase) in subversion.
> >Nowaday nearly every "normal" (linux) program which is critical for
> >the system
> >(like every server is) stores it's passwords in an encrypted file,
> >mostly in a simple linux password file.
> >I really _hate_ it to edit clear text password files, as everyone who
> >just
> >passes behind me, can read them!! It's just unprofessional!
> >If one could use "normal" linux password files with the svnserve server
> >program (which I prefer much over the apache-plugin btw.) there would
> >also be
> >big advantages like reusing existing files or admin-programs.
> >
>
> Hey Ben Reser -- do you believe me now? Rainer is repeating what I've
> heard over and over: that despite making a file chmod 700, users still
> complain about the fact that "everyone who passes" by the screen can
> read them. This is why I continue to advocate even *trivial* ciphering
> like rot13. I'm tired of hearing this complaint.

Okay this is once again talking about the server side. I think you've
confused the server side issue with the client side issue over and over.
I understand the admins complaining about this on the server side. But
the reason the passwords are stored in clear text is because of the
authentication design that Greg Hudson chose for svnserve. This only
applies to svnserve and only if you're not using ssh. The solution is
to either implement our own new authentication protocol that allows
plaintext passwords (especially since SSL is now in the pipe for
svnserve) or implement something like digest authentication that apache
uses.

As Karl pointed out later in the thread, implementing rot13 isn't going
to get rid of the emails. It isn't going to make things more secure.
If you think someone walking past your monitor is going to memorize a
password why can't they memorize the rot13 version of it and walk back
to their workstation and do: echo foo | rot

Adding a trivial cipher does not change the problem, it just hides it.
Greg suggests some excellent solutions to the problem in the short and
long term in his posts.

However, the client side problem is much trickier. In order for caching
to work with all authentication protocols we must cache the plaintext
password.

To this end I agree, I'm tired of hearing this complaints. So I'm
taking it upon myself to fix these issues. This means I'll be working
on svnserve to make it support additional authentication methods and
implementing svn-agent for the client side.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Feb 28 22:39:28 2005

This is an archived mail posted to the Subversion Dev mailing list.